b'                            OFFICE OF\n                     THE INSPECTOR GENERAL\n\n\n                         U.S. NUCLEAR\n                    REGULATORY COMMISSION\n\n\n\n                        Review of NRC\xe2\x80\x99s Personnel\n                             Security Program\n\n                      OIG-04-A-11        March 25, 2004\n\n\n\n\n                       AUDIT REPORT\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                               NRC\xe2\x80\x99s website at:\n             http://www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                            March 25, 2004\n\n\n\n\nMEMORANDUM TO:               William D. Travers\n                             Executive Director for Operations\n\n\n\nFROM:                        Stephen D. Dingbaum/RA/\n                             Assistant Inspector General for Audits\n\n\nSUBJECT:                     REVIEW OF NRC\xe2\x80\x99S PERSONNEL SECURITY PROGRAM\n                             (OIG-04-A-11)\n\n\nAttached is the Office of the Inspector General\xe2\x80\x99s audit report titled, Review of NRC\xe2\x80\x99s Personnel\nSecurity Program.\n\nAuditors found that despite enhancements made in recent years to NRC\xe2\x80\x99s personnel security\nprogram, further action is needed to bring the program into compliance with agency\nrequirements and ensure that the agency is responding appropriately to heightened security\nconcerns since the terrorist attacks of September 11, 2001. Specifically, NRC needs to adhere\nto agency security clearance reinvestigation requirements, improve controls to ensure that\nemployees return their badges and complete the security-termination statement prior to\ntermination, improve accuracy of automated personnel security data, and begin processing\nsummer interns for clearances earlier so that NRC can fully benefit from money spent on such\nclearances each year.\n\nThe report makes 12 recommendations to the Executive Director for Operations to strengthen\ncontrols over the personnel security program.\n\nDuring an exit conference on March 9, 2004, the Executive Director for Operations provided\ncomments concerning the draft audit report. We modified the report as we determined\nappropriate in response to these comments.\n\nIf you have any questions, please contact me at 415-5915 or Beth Serepca at 415-5911.\n\nAttachment: As stated\n\ncc:     William Dean, OEDO\n\x0cR. McOsker, OCM/RAM\nB. Torres, ACMUI\nB.J. Garrick, ACNW\nM. Bonaca, ACRS\nJ. Larkins, ACRS/ACNW\nP. Bollwerk III, ASLBP\nK. Cyr, OGC\nJ. Cordes, OCAA\nE. Merschoff, CIO\nJ. Funches, CFO\nP. Rabideau, Deputy CFO\nJ. Dunn Lee, OIP\nD. Rathbun, OCA\nW. Beecher, OPA\nA. Vietti-Cook, SECY\nW. Kane, DEDH/OEDO\nC. Paperiello, DEDMRS/OEDO\nP. Norry, DEDM/OEDO\nM. Springer, ADM\nJ. Dyer, NRR\nG. Caputo, OI\nP. Bird, HR\nC. Kelley, SBCR\nM. Virgilio, NMSS\nS. Collins, DEDR\nA. Thadani, RES\nP. Lohaus, STP\nF. Congel, OE\nM. Federline, NMSS\nR. Zimmerman, NSIR\nR. Wessman, IRO\nH. Miller, RI\nL. Reyes, RII\nJ. Caldwell, RIII\nB. Mallett RIV\nOPA-RI\nOPA-RII\nOPA-RIII\nOPA-RIV\n\x0c                                                       Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\nEXECUTIVE SUMMARY\n\n    BACKGROUND\n\n          The Atomic Energy Act of 1954, as amended, requires all NRC employees to\n          have a security clearance, but allows employees to begin working for NRC prior\n          to their clearance, provided the Commission determines that such employment is\n          in the national interest and the employee does not have access to classified\n          information. Today, nearly all NRC employees are permitted to begin work\n          before receiving a security clearance, but only after the Division of Facilities and\n          Security (DFS) conducts an in-house review, determines there are no factors\n          that constitute a security risk, and grants the individual a preappointment\n          investigation waiver to begin work. To receive and maintain a security\n          clearance, NRC employees must undergo an initial background investigation and\n          periodic reinvestigations in accordance with Federal standards. As of November\n          2003, 161 NRC employees were working under preappointment investigation\n          waivers, 716 had Q clearances, 2,137 had L clearances, and 208 were\n          designated as L-High Public Trust.\n\n    PURPOSE\n\n          The audit objectives were to determine whether (1) NRC is in compliance with\n          external and internal personnel security requirements and (2) NRC\xe2\x80\x99s personnel\n          security program is efficiently managed.\n\n    RESULTS IN BRIEF\n\n          Despite enhancements made in recent years to NRC\xe2\x80\x99s personnel security\n          program, further action is needed to (1) bring the program into compliance with\n          agency requirements and (2) ensure that the agency is responding appropriately\n          to heightened security concerns since the terrorist attacks of September 11,\n          2001. Specifically, NRC needs to adhere to agency security clearance\n          reinvestigation requirements, improve controls to ensure that employees return\n          their badges and complete the security-termination statement prior to\n          termination, improve accuracy of data stored in personnel security automated\n          files, and begin processing summer interns for clearances earlier so that NRC\n          can fully benefit from money spent on such clearances each year.\n\n          Personnel Security Program Not in Compliance With NRC Security\n          Clearance Reinvestigation Requirements\n\n          Each year since 2001, the agency has failed to comply with its own\n          reinvestigation timeliness requirements. According to NRC Management\n          Directive and Handbook (MD) 12.3, \xe2\x80\x9cNRC Personnel Security Program,\xe2\x80\x9d DFS\n          must reevaluate at least every 5 years the continued eligibility of employees with\n          Q clearances and LH designations. For those with L clearances, MD 12.3\n\n\n\n                                            i\n\x0c                                            Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n\nrequires reevaluations at least every 10 years. Yet, each year since 2001, DFS\nhas not fully complied with this reevaluation requirement. Furthermore, 426\nemployees have L clearances based on a reinvestigation that does not meet\nFederal standards issued in 1997. Although the Office of Personnel\nManagement considers these clearances to be acceptable until 2007, it would be\ngood practice for NRC to bring these employees into compliance with the current\nstandards sooner. DFS is aware of these issues, but has not devoted adequate\nresources to address them. NRC can strengthen its reinvestigation program by\nfollowing its own reinvestigation standards and proactively ensuring that all\nemployee clearances are based on current Federal standards.\n\nNRC Lacks Adequate Management Controls To Ensure That Employees\nReturn Badges and Complete the Security Termination Statement During\nSeparation-Clearance Process\n\nNRC requires that employees return their badges and sign a security termination\nstatement as part of the separation-clearance process. However, some\nemployees fail to do so because NRC lacks management controls to enforce this\nrequirement, does not follow existing policies pertaining to consultant and\nregional office terminations, and lacks adequate written guidance on badge\nreturn for consultants and regional office employees. If not returned to the\nagency, employee badges, which allow access to NRC facilities, could be\nmisused by individuals with malicious intent toward NRC and its employees.\nFurthermore, the agency misses an important opportunity to caution employees\non their responsibility to protect sensitive and classified information.\n\nPersonnel Security Program Information Systems Contain Unreliable\nInformation\n\nDiscrepancies between data stored in the personnel security automated files and\nthe paper files, and inaccuracies in these files, indicate problems with data\nreliability. These data reliability issues exist because managers did not ensure\nthat staff members consistently followed office procedures to enter data into\nDFS\xe2\x80\x99s former automated system (the PERSEC Modules). In addition, DFS\xe2\x80\x99s\nexisting quality control measure for data accuracy was insufficient to prevent\nthese inaccuracies. Without a new approach to ensure data reliability, NRC\nlacks assurance that these problems will not recur in the agency\xe2\x80\x99s new system,\nthe Integrated Personnel Security System.\n\nNRC Fails To Benefit From Dollars Spent on Summer Intern Security\nClearances\n\nNRC spends approximately $8,100 each year on OPM background\ninvestigations for summer interns; however, in the majority of cases, the interns\nterminate their NRC employment before OPM responds with an investigative\nreport or before NRC can adjudicate the results so that a clearance could be\ngranted. This failure to benefit from the OPM background investigation occurs\n\n                                 ii\n\x0c                                               Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n\n     because NRC\xe2\x80\x99s requests for these investigations are made too late to receive a\n     timely response from OPM. Additionally, when summer interns terminate\n     employment prior to the return of OPM\xe2\x80\x99s investigative report, NRC does not\n     cancel the investigation in progress in accordance with OPM policy. NRC needs\n     to revise its timeline for hiring summer interns so that the agency can benefit\n     from the money spent on background investigations for these individuals and to\n     better comply with OPM requirements concerning cancellations.\n\nRECOMMENDATIONS\n\n     This report makes 12 recommendations to the Executive Director for Operations\n     to strengthen controls over the personnel security program. A consolidated list\n     of recommendations appears on page 20 of this report.\n\nAGENCY COMMENTS\n\n     On March 9, 2004, the Executive Director for Operations provided comments\n     concerning the draft audit report. We modified the report as we determined\n     appropriate in response to these comments. Appendix B contains both NRC\xe2\x80\x99s\n     comments and our specific response to each.\n\n\n\n\n                                    iii\n\x0c                           Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               iv\n\x0c                                                   Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\nABBREVIATIONS AND ACRONYMS\n\n    ADM              Office of Administration (NRC)\n    ANACI            Access National Agency Check with Inquiries\n    CFR              Code of Federal Regulations\n    DFS              Division of Facilities and Security (NRC)\n    DOI              U.S. Department of Interior\n    FY               Fiscal Year\n    HR               Office of Human Resources (NRC)\n    IPSS             Integrated Personnel Security System\n    LH               L \xe2\x80\x93 High Public Trust\n    MD               Management Directive and Handbook\n    NACLC            National Agency Check With Law and Credit\n    NRC              U.S. Nuclear Regulatory Commission\n    OCIO             Office of the Chief Information Officer (NRC)\n    OGC              Office of the General Counsel (NRC)\n    OIG              Office of the Inspector General (NRC)\n    OPM              U.S. Office of Personnel Management\n    PERSEC Modules   Personnel Security Modules\n    SSBI             Single Scope Background Investigation\n    SSBI \xe2\x80\x93 PR        Single Scope Background Investigation \xe2\x80\x93 Periodic Reinvestigation\n\n\n\n\n                                       v\n\x0c                           Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               vi\n\x0c                                                                                 Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\nTABLE OF CONTENTS\n\nEXECUTIVE SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i\n\nABBREVIATIONS AND ACRONYMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v\nI.       BACKGROUND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1\nII.      PURPOSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4\nIII.     FINDINGS          ..........................................................4\n                   A.         NRC IS NOT IN FULL COMPLIANCE W ITH AGENCY SECURITY CLEARANCE\n                              REINVESTIGATION REQUIREMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4\n\n                   B.         NRC LACKS ADEQUATE MANAGEMENT CONTROLS TO ENSURE THAT\n                              EMPLOYEES RETURN BADGES AND COMPLETE THE SECURITY TERMINATION\n                              STATEMENT DURING SEPARATION-CLEARANCE PROCESS . . . . . . . . . . . . . 9\n\n                   C.         PERSONNEL SECURITY PROGRAM INFORMATION SYSTEMS CONTAIN\n                              UNRELIABLE INFORMATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14\n\n                   D.         NRC FAILS TO BENEFIT FROM DOLLARS SPENT ON SUMMER INTERN\n                              SECURITY CLEARANCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17\n\nIV.      CONSOLIDATED LIST OF RECOMMENDATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . 20\nV.       AGENCY COMMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21\n         APPENDICES\n                   A.         SCOPE AND METHODOLOGY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23\n                   B.         AGENCY COMMENTS AND OIG RESPONSE . . . . . . . . . . . . . . . . . . 24\n\n\n\n\n                                                                 vii\n\x0c                           Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n              viii\n\x0c                                                                         Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\nI. BACKGROUND\n\n                  Federal agency security programs have received increased attention in recent\n                  years because of (1) espionage activities that have had a significant impact on\n                  national security and (2) concerns raised in the aftermath of the terrorist attacks\n                  of September 11, 2001. These security programs address agency physical\n                  security protections \xe2\x80\x94 the physical and technological barriers that protect a\n                  facility from intrusion by unauthorized vehicles, individuals, or packages \xe2\x80\x94 and\n                  personnel security protections. Personnel security programs implement\n                  measures to ensure that agency staff can be trusted to work with and protect\n                  classified information and to prevent the hiring of employees who might\n                  otherwise be untrustworthy or unsuitable for Federal Government employment.\n\n                  All Government employees must undergo a background investigation to work for\n                  the Federal Government. The type of investigation required depends on the type\n                  of work the individual will perform. For example, Federal employees needing\n                  Confidential, Secret, and L clearances undergo an Access National Agency\n                  Check With Inquiries (ANACI), while a Single-Scope Background Investigation\n                  (SSBI) is required for Top Secret and Q clearances.1 Each of these\n                  investigations involves various record checks (e.g., law enforcement, criminal\n                  history, financial) and contact with references. However, the SSBI is more\n                  extensive and involves personal interviews with the subject and references, while\n                  the ANACI does not include a subject interview and relies on written information\n                  provided by references. Individuals with Q and L clearances must also undergo\n                  periodic reinvestigations; reinvestigations for Q clearances are more extensive\n                  and occur more frequently than those for L clearances. Government employees\n                  who will not be working with classified information are required to undergo at\n                  least an investigation to assess their \xe2\x80\x9csuitability\xe2\x80\x9d2 for Federal employment.\n\n                  NRC\xe2\x80\x99s Personnel Security Program\n\n                  The Atomic Energy Act of 1954, as amended, requires all NRC employees to\n                  have a security clearance, but allows employees to begin working for NRC prior\n                  to their clearance \xe2\x80\x94 provided the Commission determines that such\n                  employment is in the national interest and the employee does not have access to\n                  classified information. Today, nearly all NRC employees are permitted to begin\n                  work prior to receiving a security clearance, but only after the Division of\n\n\n         1\n          To work with Confidential, Secret, or Top Secret classified information, individuals must receive at least the\ncorresponding level of security clearance (i.e., Confidential, Secret, Top Secret). Pursuant to the Atomic Energy Act\nof 1954, as amended, NRC uses a separate system; employees receive either an L clearance, which equates to a\nConfidential or Secret clearance, or a Q clearance, which equates to a Top Secret clearance.\n         2\n           According to Title 5, Part 731, Code of Federal Regulations (5 CFR Part 731), \xe2\x80\x9cSuitability,\xe2\x80\x9d the\ndetermination of suitability for Federal employment is based on an individual\xe2\x80\x99s character or conduct that may have\nan impact on the integrity or efficiency of the service. These determinations of suitability for Federal employment are\ncharacterized in 5 CFR Part 731 as different from determinations of eligibility for assignment to sensitive national\npositions.\n\n                                                           1\n\x0c                                             Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n\nFacilities and Security (DFS) conducts an in-house review of the prospective\nemployee\xe2\x80\x99s background information as reported by the individual, credit history,\nand criminal history; evaluates the results; and determines there are no factors\nthat constitute a security risk to the agency. Based on this review, NRC grants\nan initial approval for the employee to begin work. This approval is referred to as\na preappointment investigation waiver.\n\nAfter NRC grants this initial approval to begin work (with no access to classified\ninformation), the agency requests a full background investigation, appropriate for\neither an L or Q clearance, from the Office of Personnel Management (OPM).\nDue to an increase in background investigation requests since September 11,\n2001, OPM is taking longer to complete its work than in the past. According to a\nDFS staff member, although NRC routinely requests (and pays for) the standard\n120-day turnaround on background investigations, it takes OPM about 6 to 9\nmonths to respond for L-clearance investigations and 12 to 18 months for Q-\ninvestigation requests.\n\nAfter the OPM background investigation is returned to NRC, DFS staff evaluate\nthe subject in light of the OPM investigative report information. Based on the\nissues raised, it may take DFS several months to more than a year to complete\nthis review and make a recommendation to the DFS Director to grant or deny a\nsecurity clearance. As a result, some NRC employees work for up to 2 years at\nNRC before receiving a security clearance.\n\nIn addition to granting employees Q and L clearances, NRC has an additional\n\xe2\x80\x9cL\xe2\x80\x93High Public Trust\xe2\x80\x9d (LH) designation that it uses for employees who hold high\npublic trust positions (e.g., resident inspectors). These employees do not require\na Q clearance because they do not work with Secret or Top Secret Restricted\nData or Top Secret National Security Information. Individuals designated as LH\nare initially investigated at the Q level. These individuals are then reinvestigated\nat L level, but more frequently than those with regular L clearances. As of\nNovember 2003, 161 employees were working under preappointment\ninvestigation waivers, 716 employees had Q clearances, 2,137 had L clearances,\nand 208 were designated as LH. [See Figure 1.]\n\n\n\n\n                                  2\n\x0c                                                  Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n\n\n           NRC Employees in Each Clearance Category as of\n                          November 2003\n    Preappointment           N = 3,222\n        Waiver\n       5% = 161\n\n\n       LH\n     6% = 208                                            Q\n                                                      22% = 716\n\n\n\n\n           L\n       67% = 2137\n\n\n\n\n                        Q    L   LH    Preappointment Waiver\n\n\n\n\nFigure 1.\n\n        NRC maintains personnel security information on employees in paper files and in\n        an automated data system referred to as the Personnel Security (PERSEC)\n        Modules. In December 2003, DFS implemented a new automated data system,\n        the Integrated Personnel Security System (IPSS), to replace the PERSEC\n        Modules. IPSS is intended to be more efficient and user-friendly with more\n        reporting capabilities than the PERSEC Modules, which are viewed as\n        cumbersome and inadequate. Initially scheduled for implementation in May 2003,\n        IPSS was not installed on the NRC server for testing until September 30, 2003.\n        As of December 2003, NRC had completed the transition to IPSS and had\n        stopped entering data into the PERSEC Modules.\n\n        During FY 2003, NRC spent $971,710 on background investigation requests for\n        employees, contractors, and licensees. Currently, there are five DFS staff\n        members and four contractor staff working to process employees for clearance\n        under NRC\xe2\x80\x99s personnel security program.\n\n\n                                       3\n\x0c                                                     Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n\nII. PURPOSE\n\n          The audit objectives were to determine whether (1) NRC is in compliance with\n          external and internal personnel security requirements and (2) NRC\xe2\x80\x99s personnel\n          security program is efficiently managed. This audit report pertains to NRC\xe2\x80\x99s\n          personnel security program for employees; a report issued in November 2003\n          (OIG-04-A-02) addressed the agency\xe2\x80\x99s personnel security policies and practices\n          for contractors.\n\n\nIII. FINDINGS\n\n          Despite enhancements made in recent years to NRC\xe2\x80\x99s personnel security\n          program, further action is needed to (1) bring the program into compliance with\n          agency requirements and (2) ensure that the agency is responding appropriately\n          to heightened security concerns since the terrorist attacks of September 11,\n          2001. Specifically,\n\n          \xe2\x80\x9a      NRC should strengthen its security clearance reinvestigation program by\n                 adhering to agency timeliness requirements and proactively ensuring that\n                 all employee clearances are based on current investigative standards.\n\n          \xe2\x80\x9a      NRC lacks adequate management controls to ensure that, prior to\n                 termination, employees complete the personnel security portion of the\n                 separation-clearance process.\n\n          \xe2\x80\x9a      NRC\xe2\x80\x99s former and current automated personnel security databases\n                 contain unreliable information.\n\n          \xe2\x80\x9a      NRC frequently does not benefit from money spent to obtain security\n                 clearances for summer interns.\n\n\n     A. NRC IS NOT IN FULL COMPLIANCE WITH AGENCY SECURITY CLEARANCE\n     REINVESTIGATION REQUIREMENTS\n\n          All NRC employees are required to have current security clearances in\n          accordance with Federal investigative standards. While NRC is currently in\n          compliance with these Federal standards, each year since 2001, the agency has\n          failed to comply with its own reinvestigation timeliness requirements.\n          Furthermore, 426 employees have L clearances based on a reinvestigation that\n          does not meet Federal standards issued in 1997. Although OPM considers these\n          clearances to be acceptable until 2007, it would be good practice for NRC to bring\n          these employees into compliance with the current standards sooner. DFS is\n          aware of these issues, but has not devoted adequate resources to address them.\n          NRC can strengthen its reinvestigation program by following its own\n\n                                           4\n\x0c                                                                      Review of NRC\xe2\x80\x99s Personnel Security Program\n\n                 reinvestigation standards and proactively ensuring that all employee clearances\n                 are based on current Federal standards.\n\n                 Atomic Energy Act Requires Security Clearances for Employees\n\n                 NRC employees must have a security clearance3 and their clearances must be\n                 reapproved on a regular basis in accordance with Federal investigative standards\n                 that have been in effect since October 1997. [See Table 1.]\n\n        Table 1.\n\n\n\n                  Security Clearance Investigation Requirements\n\n\n Clearance            Initial              Initial           Reinvestigation          Reinvestigation\n    Type          Investigation         Investigation         Requirements                 Cost\n                  Requirements              Cost\n                                                                                            $1,705.\n       Q          Single Scope              $2,835.           Single Scope\n                   Background                                  Background\n                  Investigation                               Investigation\n                      (SSBI)                                     Periodic\n                                                             Reinvestigation\n                                                                (SSBI-PR)\n                                                             Every 5 Years\n\n       L              Access                 $135.           National Agency                 $120.\n                     National                                Check With Law\n                  Agency Check                                 and Credit\n                  With Inquiries                                 (NACLC)\n                     (ANACI)                                 Every 10 Years\n\n      LH          Single Scope              $2,835.          National Agency                 $120.\n                   Background                                Check With Law\n                  Investigation                                and Credit\n                      (SSBI)                                     (NACLC)\n                                                              Every 5 Years\n\n\n\n\n        3\n          NRC employees are permitted to begin work prior to their clearance, provided the Commission has\ndetermined it to be in the Nation\xe2\x80\x99s interest, the DFS Director determined such employment would not pose a security\nthreat, and the employee does not have access to classified information.\n\n                                                         5\n\x0c                                             Review of NRC\xe2\x80\x99s Personnel Security Program\n\nThese standards require the initiation of Q-clearance reinvestigations every 5\nyears at the SSBI-Periodic Reinvestigation (SSBI\xe2\x80\x93PR) level and L-clearance\nreinvestigations every 10 years at the National Agency Check With Law and\nCredit (NACLC) level. To fulfill these requirements Management Directive and\nHandbook (MD) 12.3, \xe2\x80\x9cNRC Personnel Security Program,\xe2\x80\x9d sets an even higher\nstandard. MD 12.3 specifically states that \xe2\x80\x9cDFS must reevaluate the continued\neligibility of those individuals cleared at the Q level\xe2\x80\x9d at least every 5 years. For\nthose with L clearances, MD 12.3 requires reevaluations at least every 10 years.\nThere are no Federal standards for NRC\xe2\x80\x99s LH designation, but the agency has\nestablished that this designation requires reevaluation based on an NACLC at\nleast every 5 years. While these reinvestigation requirements are defined in MD\n12.3, DFS lacks specific performance measures assessing the agency\xe2\x80\x99s\ncompliance with the targets.\n\nAccording to an OPM official, the reinvestigation standards that existed prior to\n1997 are no longer acceptable today. This official said that the 1997 standards\nwere not accompanied by a directive to bring all employees into compliance\nimmediately, however, agencies were expected to comply as quickly as possible,\ngiven monetary and time considerations. A DFS manager explained that the\n1997 standards reflected a strengthening of investigative requirements for L\nclearances and a shortening of the time period covered for Q clearance\ninvestigations.\n\nPersonnel Security Program Not in Compliance With NRC Security\nClearance Reinvestigation Requirements\n\nEach year since 2001, DFS has not fully complied with the agency\xe2\x80\x99s\nreinvestigation requirement that employees with Q clearances and LH\ndesignations be reevaluated no later than 5 years after the last evaluation and\nthat those with L clearances be reevaluated no later than 10 years after the last\nevaluation. As of January 2004, DFS had not submitted background\nreinvestigation requests to OPM for 142 of 247 employees due for reevaluation\nduring 2003. Furthermore, reinvestigation requests for 63 employees whose\nreevaluations were due in 2002 were not submitted until the end of 2003.\nReinvestigation requests for 125 employees whose reevaluations were due during\n2001 were also submitted too late for employees to be reevaluated during that\nyear; of the 125 cases, 97 were submitted in 2002 and 28 in 2003. [See Table 2.]\nBy failing to submit these reinvestigation requests to OPM in the year the\nreevaluation was required, NRC did not comply with its own requirement to\nreevaluate these employees during that year. NRC can strengthen its\nreinvestigation program by adhering to the timeliness requirements established in\nMD 12.3.\n\n\n\n\n                                  6\n\x0c                                                                     Review of NRC\xe2\x80\x99s Personnel Security Program\n\n         Table 2.\n\n\n\n             Number of NRC Reinvestigation Requests Not Sent to OPM During Year\n                            Reevaluation By NRC Was Required\n\n\n  Year                   2001                         2002                                   2003\n  Number                  125                           63                                    142\n\n\n                 Another area for improvement pertains to employees whose last security\n                 clearance reinvestigation does not meet current standards for these\n                 investigations. OIG identified that 33 of 98 personnel security files4 reviewed for\n                 this audit reflected L clearances based on a background investigation that is no\n                 longer appropriate. Subsequent to an exit conference held February 2, 2004,\n                 OIG learned that there are 426 NRC employees with L clearances not based on\n                 the current standards.\n\n                 Although DFS is addressing these issues, progress is slow. For example, in April\n                 2003, the single DFS staff member assigned to manage the reinvestigation\n                 program had reported that reinvestigation requests had not been made to OPM\n                 for 91 employees due for reevaluation in 2001 and 2002. Competing work\n                 priorities, difficulties in locating some employee files, and slow responsiveness\n                 from agency employees to complete the required forms were hampering this\n                 effort. By the end of October 2003, the effort to identify individuals with outdated\n                 clearances and submit these names to OPM for reinvestigation had not\n                 progressed significantly.5\n\n                 Until recently, DFS\xe2\x80\x99 general approach toward clearances based on the old\n                 standard was to correct the cases that staff identified in the course of the office\xe2\x80\x99s\n                 day-to-day business. More recently, staff have taken a more active approach to\n                 identifying these cases so that the current reinvestigation standards can be\n                 applied. According to DFS staff, implementation of the office\xe2\x80\x99s new automated\n                 personnel security system (IPSS) will facilitate identification of these cases. The\n                 system will cross check reinvestigation type with clearance type and will flag\n                 clearances that are based on the outdated investigation type.\n\n\n\n\n         4\n         The process for selecting the 98 files for review was designed to obtain a random sample that would be\nrepresentative of the overall population of NRC employees.\n         5\n          Only in November and December 2003 \xe2\x80\x94 following a second meeting with OIG to discuss the backlog \xe2\x80\x94\nwas the staff member able to complete the effort.\n\n                                                         7\n\x0c                                            Review of NRC\xe2\x80\x99s Personnel Security Program\n\nDFS Has Not Applied Adequate Resources To Correct Reinvestigation\nIssues\n\nWhile DFS managers are aware that many employee reinvestigation requests are\nsubmitted too late to allow reevaluation in the year it is required, and that a\nnumber of employees have clearances based on an outdated standard, the office\nhas not devoted adequate resources to address these issues in a timely manner.\nAs noted above, only one staff member is assigned to handle the reinvestigation\nprogram. This involves identifying employees for reinvestigation, sending\nemployees the required security forms for completion, and submitting\nreinvestigation requests to OPM. This responsibility is in addition to the\nemployee\xe2\x80\x99s routine duties.\n\nDFS has not applied existing agency resources to fully identify individuals with L\nclearances based on an outdated standard so that the correct standard can be\napplied. While DFS staff explained that it was cumbersome to search in the\nPERSEC Modules for employee clearances not based on current requirements,\nstaff were aware that an Office of Administration (ADM) staff member could\nperform such a search. Yet, DFS staff never asked the ADM staff member to\npursue such an effort. A DFS manager explained that while it would be desirable\nto identify and request new reinvestigations for all employees falling into this\ncategory, it is not a requirement and, therefore, other office responsibilities take\nprecedence. Subsequent to the exit conference, OIG requested that the ADM\nstaff member determine the number of employees with L clearances based on the\nold standard and learned that there are 426 individuals in this category.\n\nDFS staff do not perceive the late requests for 2003 reinvestigations or the failure\nto ensure that L clearances are based on current standards as program\nweaknesses. According to a DFS manager, clearances for employees with\noverdue reinvestigations are not in jeopardy as long as DFS has sent the\nemployees a request to complete the reinvestigation forms. The manager said\nthat clearances do not expire if the employees have received their letter initiating\nthe reinvestigation processing and, according to a DFS staff member, all such\nletters have been sent.\n\nAlthough OPM officials said NRC\xe2\x80\x99s interpretation of Federal requirements is\nacceptable, they also explained that Federal agencies fulfill the requirement in\nvarious ways, ranging from NRC\xe2\x80\x99s approach to others that adjudicate\nreinvestigation results in the year the reinvestigation is due. OIG contacted three\nFederal agencies and found that all adhered to a stricter interpretation than\nNRC\xe2\x80\x99s. Personnel security officials at each of these agencies said they strive to\nsubmit reinvestigation requests to OPM in the year the reinvestigation is due for\ninitiation. One of the agencies goes a step further by trying to submit requests 3\nto 4 months prior to the due date. While NRC\xe2\x80\x99s reinvestigation program is\noperating in compliance with Federal requirements, the agency does not comply\nwith its own timeliness requirements.\n\n\n\n\n                                  8\n\x0c                                                 Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n     Summary\n\n     NRC can strengthen its security clearance reinvestigation program by devoting\n     greater resources to ensure that employees are reinvestigated and reevaluated in\n     accordance with agency requirements and proactively ensuring that clearances\n     are based on current reinvestigation standards. By doing so, NRC can better\n     assure it is taking the necessary measures in this post-September 11\n     environment to protect classified information and prevent the retention of\n     employees who are untrustworthy or unsuitable for Government employment.\n\n     RECOMMENDATIONS\n\n     OIG recommends that the Executive Director for Operations:\n\n     1.     Submit clearance reinvestigation requests to OPM in time to allow NRC to\n            evaluate results in the year the reevaluation is due in accordance with MD\n            12.3.\n\n     2.     By the end of FY 2004, submit requests for OPM reinvestigations for\n            employees with clearances not based on current standards.\n\n     3.     Establish performance measures assessing the timeliness of NRC\xe2\x80\x99s\n            reinvestigation program.\n\n\nB. NRC LACKS ADEQUATE MANAGEMENT CONTROLS TO ENSURE THAT\nEMPLOYEES RETURN BADGES AND COMPLETE THE SECURITY TERMINATION\nSTATEMENT DURING SEPARATION-CLEARANCE PROCESS\n\n     NRC requires that employees return their badges and sign a security termination\n     statement as part of the separation-clearance process. However, some\n     employees fail to do so because NRC lacks management controls to enforce this\n     requirement, does not follow existing policies pertaining to consultant and regional\n     office terminations, and lacks adequate written guidance on badge return for\n     consultants and regional office employees. If not returned to the agency,\n     employee badges, which allow access to NRC facilities, could be misused by\n     individuals with malicious intent toward NRC and its employees. Furthermore, the\n     agency misses an important opportunity to caution employees on their\n     responsibility to protect sensitive and classified information.\n\n     DFS\xe2\x80\x99s Role in Separation-Clearance Process\n\n     NRC requires that individuals separating from the agency obtain certain approvals\n     before they receive their final salary payment. Management Directive and\n     Handbook (MD) 10.8, \xe2\x80\x9cClearances Before Separation or Reassignment,\xe2\x80\x9d provides\n     specific instructions regarding the procedures to be followed and steps involved in\n     obtaining clearance before separation. Generally, employees must handcarry\n     NRC Form 270, \xe2\x80\x9cSeparation Clearance,\xe2\x80\x9d to about 15 offices where a clearing\n\n                                      9\n\x0c                                                                       Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n                  official signs off to indicate that the employee has no financial, property, or other\n                  obligations to that particular office. For headquarters employees, 1 of these 15\n                  offices is DFS, where a clearing official checks \xe2\x80\x9cyes\xe2\x80\x9d or \xe2\x80\x9cno\xe2\x80\x9d to indicate whether\n                  employee has completed Form 136, \xe2\x80\x9cSecurity Termination Statement,\xe2\x80\x9d and\n                  returned his/her badge. The DFS clearing official then signs off on the\n                  separation-clearance form in either case. The process is different for regional\n                  offices. These offices are responsible for recovering the badge and having the\n                  employee complete the security termination statement. According to MD 10.8,\n                  the regional offices are to forward the completed security termination statement to\n                  DFS for retention and to coordinate with DFS concerning badge recovery and\n                  termination of keycard access and security clearance. MD 10.8 does not specify\n                  what the regional offices are to do with the retrieved badges, although MD 12.1,\n                  \xe2\x80\x9cNRC Facility Security Program,\xe2\x80\x9d states that badges must be returned to DFS.\n\n                  Until recently,6 the last stop in the separation-clearance process was the Payroll\n                  Office, where a clearing official would review the form, determine whether the\n                  individual had any outstanding debts, and whether all signature blocks were\n                  completed. Now the last stop in the process is the Office of Human Resources\n                  (HR), where designated staff review the separation-clearance form for\n                  completeness and employee indebtedness before authorizing final pay action.\n\n                  The separation process differs for consultants, who are viewed as employees but\n                  do not need to complete the separation-clearance form prior to termination. MD\n                  10.6, \xe2\x80\x9cUse of Consultants and Experts,\xe2\x80\x9d directs that when an office decides to\n                  terminate (or not extend) a consultant\xe2\x80\x99s appointment, the cognizant office should\n                  notify HR. HR is then required to notify DFS so that DFS can terminate the\n                  consultant\xe2\x80\x99s security clearance and obtain from the consultant a completed\n                  security termination statement. MD 10.6 does not specifically mention badge\n                  return and therefore does not specify who is responsible for ensuring that badge\n                  return occurs.\n\n                  Not All Employees Return Badge, Complete Security Termination Statement\n\n                  Based on a review of records for a random sample of NRC former employees,\n                  OIG learned that some employees failed to return their badges or complete the\n                  security termination statement prior to termination. Furthermore, NRC does not\n                  attempt to withhold final pay action for individuals who failed to complete these\n                  steps in the separation-clearance process.\n\n\n\n\n         6\n         On November 2, 2003, NRC transitioned to the Department of Interior\xe2\x80\x99s (DOI) Federal Personnel/Payroll\nSystem. HR, which serves as a liaison with DOI on payroll issues, is now the final stop in the separation-clearance\nprocess and subsequently reviews the separation clearance form for completeness.\n\n                                                         10\n\x0c                                                                        Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n                  Auditors reviewed records for 667 of 227 former employees who separated during\n                  FY 2003 and found that:\n\n                  \xe2\x80\x9a        DFS lacked indication that a badge had been returned for 13 individuals (5\n                           regional employees, 4 consultants, and 4 headquarters employees).\n\n                  \xe2\x80\x9a        DFS also lacked completed security termination statements for 16 former\n                           employees (5 regional employees, 7 consultants, and 4 headquarters\n                           employees).\n\n                  \xe2\x80\x9a        DFS was unaware that 7 of the 66 were no longer active employees. Six\n                           of these individuals were consultants.\n\n                  Based on a statistical analysis of this data, DFS could lack information concerning\n                  badge return for up to 29 percent (66 employees) of those who terminated NRC\n                  employment during FY 2003.\n\n                  DFS staff were aware that staff separating from NRC occasionally fail to complete\n                  the DFS portion of the separation-clearance process. One DFS staff member\n                  explained that if an employee terminates without completing the security\n                  termination statement and/or returning the badge, DFS mails the individual a\n                  letter requesting that they return either the completed security termination\n                  statement, the badge, or both to NRC. However, the DFS staff member could not\n                  recall that failure to complete this part of the process had ever resulted in a\n                  withholding of final pay action.\n\n                  A Payroll Office manager explained that when employees brought their\n                  separation-clearance form to the Payroll Office (as the last stop in the separation-\n                  clearance process), one of several clearing officials would review the signature\n                  blocks on the form to ensure that all were signed. If any signature blocks were\n                  blank, the clearing official would not authorize final pay action and would direct\n                  the employee back to the appropriate office to complete the process. However,\n                  the manager said that Payroll Office staff were never instructed to review the\n                  yes/no boxes in the DFS portion of the separation-clearance form to determine\n                  whether the specific steps were actually fulfilled. Therefore, the manager\n                  explained, the Payroll Office would not withhold final pay action based on\n                  information in the yes/no boxes.\n\n                  OIG identified three underlying causes for the issues found through the file\n                  review:\n\n                  \xe2\x80\x9a        NRC lacks a management control to enforce the DFS portion of the\n                           separation-clearance process.\n\n\n\n         7\n          The 66 files were selected randomly from the 227 in order to obtain a sample that was reflective of all\nterminating NRC employees.\n\n                                                          11\n\x0c                                            Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n\xe2\x80\x9a      Breakdowns in communication hinder the consultant termination process.\n\n\xe2\x80\x9a      Regional communication with headquarters concerning terminations is\n       ineffective.\n\nNRC Lacks Management Control To Enforce Badge Return Portion of\nSeparation-Clearance Process\n\nUnder current NRC policy, the agency cannot withhold final pay action as a\nmeans of motivating employees to return their badges as part of the separation-\nclearance process. Despite wording in MD 10.8 indicating that final pay action\ncould be withheld for failure to complete the process, an Office of the General\nCounsel (OGC) attorney explained that based on Federal regulations and agency\nguidance, an employee\xe2\x80\x99s failure to turn in a security badge does not create a debt\nowed by the employee to the agency that can be recovered through\nadministrative offset of the employee\xe2\x80\x99s salary. However, the attorney agreed that\nNRC could explore certain policy options that might not be legally objectionable.\nOne such option could be to modify the Form 270 to eliminate the yes/no boxes,\nand rely on signature alone as indication the step has been accomplished. In\nOIG\xe2\x80\x99s view, this would offer the agency a stronger tool for increasing control over\nthe return of badges.\n\nBreakdowns in Communication Hinder Consultant Termination Process\n\nNRC has not been following its process for terminating consultants; consequently,\nthe agency lacks assurance that these employees will complete the security\ntermination statement as required or that their security clearance and access to\nNRC will be terminated upon separation from the agency. Furthermore, NRC\nmanagement directives do not specify who is responsible for badge retrieval from\nthese individuals.\n\nTwo specific communication breakdowns have occurred in NRC\xe2\x80\x99s consultant\ntermination process. First, while MD 10.6 specifies that cognizant offices need to\nnotify HR when consultants are terminated, such notification is not routinely\nprovided. Second, even when HR is aware that a consultant has been\nterminated, until recently, DFS was not given notification of the termination. As a\nresult, DFS has been unable to conduct its portion of the process described in the\nMD. After discussing the matter with OIG auditors, HR has initiated a practice of\nadding terminated consultants to a regularly published list of terminated\nemployees which is developed and circulated to certain NRC offices, including\nDFS, each week. Nevertheless, while MD 12.1 specifies generally that employee\nbadges must be returned to DFS, there is no guidance in either MD 12.1, 10.6, or\n10.8 describing procedures for the return of consultant badges.\n\n\n\n\n                                12\n\x0c                                           Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\nRegional Communication with Headquarters Concerning Terminations Is\nIneffective\n\nDFS is not receiving security termination statements for all regional employees\nwho terminate and is not being notified in all cases as to whether these\nemployees\xe2\x80\x99 badges were returned. While MD 10.8 requires the regions to\nforward completed security termination statements to DFS and to coordinate with\nDFS concerning badge recovery, the necessary communication and coordination\nwith DFS is not occurring. NRC needs to better describe its expectations for\nregional offices concerning badge return and to better enforce its requirements\nconcerning the security termination statement to facilitate DFS awareness of\nregional actions concerning terminating employees.\n\nSUMMARY\n\nDFS needs to increase its control and knowledge over the employee-termination\nprocess so that it can fully account for the badges of former employees and\nensure that security termination statements are signed. By instituting a stronger\nmeans to encourage employees to return their badges as part of the separation-\nclearance process, implementing existing policies concerning consultants and\nregional offices, and clarifying guidance concerning badge return, NRC will\nreduce the risks posed by employees who fail to undergo this portion of the\nclearance process.\n\nRECOMMENDATIONS\n\nOIG recommends that the Executive Director for Operations:\n\n4.     Eliminate the yes/no boxes from the DFS portion of the separation-\n       clearance form, and require signature for steps completed in this part of\n       the process.\n\n5.     Fully implement existing agency policy concerning termination of\n       consultants.\n\n6.     Fully implement existing agency policy concerning termination of regional\n       employees.\n\n7.     Issue agency guidance specifically concerning return of consultant and\n       regional employee badges to DFS.\n\n\n\n\n                                13\n\x0c                                                                   Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n                 C. PERSONNEL SECURITY PROGRAM INFORMATION SYSTEMS CONTAIN\n                 UNRELIABLE INFORMATION\n\n                 Despite requirements that managers maintain reliable information for\n                 decisionmaking, discrepancies between data stored in the personnel security\n                 automated files and the paper files, and inaccuracies in these files, indicate\n                 problems with data reliability. These data reliability issues exist because\n                 managers did not ensure that staff members consistently followed office\n                 procedures to enter data into DFS\xe2\x80\x99s former automated system (the PERSEC\n                 Modules). In addition, DFS\xe2\x80\x99s existing quality control measure for data accuracy\n                 was insufficient to prevent these inaccuracies. Without a new approach to ensure\n                 data reliability, NRC lacks assurance that these problems will not recur in IPSS.\n                 NRC\xe2\x80\x99s personnel security program needs to require system users to follow\n                 consistent data entry practices and to conduct additional quality control\n                 procedures for data accuracy.\n\n                 Discrepancies Between DFS Automated and Paper Files\n\n                 DFS cannot rely on the accuracy of the personnel security clearance history\n                 information in its paper and automated files. A comparison of personnel security\n                 information recorded in 968 paper files with personnel security information\n                 contained in the corresponding PERSEC Module files revealed discrepancies in\n                 58 of the file pairs. The most frequent discrepancy pertained to first clearance\n                 date; in 44 such cases, the date that NRC first granted clearances for individuals\n                 was recorded differently in the automated system than in the paper files. Also\n                 frequent were discrepancies concerning the first type of clearance an individual\n                 held at NRC; auditors identified 38 such inconsistences. The comparison\n                 between the automated system and the paper files also identified 10\n                 discrepancies in employee current clearance date and 7 discrepancies in current\n                 clearance type. In 58 cases, the PERSEC Modules contained no information\n                 concerning the date that NRC granted the individual\xe2\x80\x99s preappointment\n                 investigation waiver and in 4 cases the date was incorrect. Finally, DFS had no\n                 automated personnel information on file for two consultants included in the\n                 sample. Based on a statistical analysis of this information, personnel security\n                 files for as many as 2,223 employees (69 percent of employees) could contain at\n                 least one of the type of discrepancies noted above and automated data could be\n                 missing for up to 193 employees (6 percent of employees). [See Table 3.]\n\n\n\n\n        8\n         Auditors pulled 98 paper files for review. There were no corresponding automated records in the PERSEC\nModules for 2 of the paper files, therefore only 96 file pairs were available for comparison.\n\n                                                      14\n\x0c                                           Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\nTable 3.\n\n\n\n     Discrepancies Between Personnel Security\n             Automated and Paper Files\n                              N = 98\n\n\n Type of Discrepancy              Number of Discrepancies\n\n\n Date of First Clearance                      44\n Type of First Clearance                      38\n Date of Current Clearance                    10\n Type of Current Clearance                     7\n Date of Preappointment                       62\n Investigation Waiver\n File Missing from PERSEC                      2\n Modules\n\nDFS is aware that the PERSEC Modules contain some unreliable information and\nthat this incorrect information was transferred into IPSS as part of the system\ntransition process. DFS staff also are aware of other IPSS data reliability issues\nthat resulted from the data transfer. Therefore, a DFS manager explained, DFS\nis now involved in a data cleanup effort to ensure that current employee\ninformation in IPSS is accurate. The manager could not estimate when the\ncleanup effort would be complete and explained that it was being carried out\nduring employee overtime hours on an ad hoc basis.\n\nDuring the exit conference, the agency commented that there are no\ndiscrepancies between the automated and paper files, but that these two sets of\nfiles track different information with regard to preappointment waiver date, first\nclearance type, and first clearance date. Despite these agency comments,\ninformation in this report concerning discrepancies has not been modified. This is\nbecause the information provided during the exit conference does not adequately\nexplain the discrepancies concerning current clearance type and date and does\nnot explain why two files are missing from the automated records.\n\n\n\n\n                                15\n\x0c                                             Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\nData Entry Procedures Not Enforced; Quality Control Measure Insufficient\n\nInaccuracies in PERSEC Modules data exist because managers did not ensure\nthat staff consistently followed office procedures to enter data into the PERSEC\nModules. Furthermore, the PERSEC Modules lack features to prevent data entry\nmistakes. DFS staff explained that IPSS, the replacement for the PERSEC\nModules, contains internal checks to facilitate accuracy and will prevent these\ntypes of data discrepancies from occurring. However, these features will not\neliminate the possibility of inaccurate data entry. For example, while IPSS will not\nallow the user to enter the wrong type of investigation into the system for certain\nclearance types and will not allow illogical dates to be entered, it will not prevent\nerrors if the dates are logical. DFS managers said employees responsible for\ndata entry will be provided with instructions for using the new system correctly,\nhowever, there are no plans for requiring these staff to follow the procedures or to\ncheck that data entered is accurate.\n\nAnother reason for inaccuracies is that the single quality control measure utilized\nby DFS to ensure data accuracy failed to prevent these inaccuracies from\noccurring. According to a DFS staff member, agencies are required every 6\nmonths to report their personnel security data to OPM, and NRC has provided\nthis information to OPM two or three times since mid-2002. According to the staff\nmember, OPM compares the agency information to its information and provides\nNRC with a report highlighting any discrepancies, for example, in birth dates or\nsocial security numbers. NRC is required to correct the information and in some\ncases, provide supporting documentation. Despite this quality control measure,\nOIG found the discrepancies between the automated and paper files mentioned\nearlier in this section.\n\nAlthough the ongoing IPSS data cleanup effort seems likely to ensure an initial\nlevel of accuracy in the IPSS data, DFS officials characterized the cleanup\nprocess as a one-time effort. Quality control measures have not been\nestablished to prevent subsequent deterioration of data quality in IPSS.\n\nSUMMARY\n\nTo better ensure the reliability of the information contained in its automated\nsystems, DFS needs to implement consistent data entry guidance to system\nusers and conduct quality control procedures for data accuracy.\n\nRECOMMENDATIONS\n\nOIG recommends that the Executive Director for Operations:\n\n8.     Issue specific data entry guidance to DFS staff responsible for entering\n       data into IPSS.\n\n\n\n\n                                 16\n\x0c                                                 Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n     9.     Formalize the ongoing IPSS data cleanup effort by documenting this\n            effort. This documentation should include a discussion of resources\n            assigned to the effort and a timeline for completion.\n\n     10.    Establish and implement a procedure to validate data accuracy at least\n            annually.\n\n\nD. NRC FAILS TO BENEFIT FROM DOLLARS SPENT ON SUMMER INTERN\nSECURITY CLEARANCES\n\n     NRC spends approximately $8,100 each summer on OPM background\n     investigations for summer interns; however, in the majority of cases, the interns\n     terminate their NRC employment before OPM responds with an investigative\n     report or before NRC can adjudicate the results so that a clearance could be\n     granted. This failure to benefit from the OPM background investigation occurs\n     because NRC\xe2\x80\x99s requests for these investigations are made too late to receive a\n     timely response from OPM. Additionally, when summer interns terminate\n     employment prior to the return of OPM\xe2\x80\x99s investigative report, NRC does not\n     cancel the investigation in progress in accordance with OPM policy. NRC needs\n     to revise its timeline for hiring summer interns so that the agency can benefit from\n     the money spent on background investigations for these individuals and to better\n     comply with OPM requirements concerning cancellations.\n\n     NRC\xe2\x80\x99s Summer Intern Program\n\n     Each summer, NRC hires between 57 and 65 students to participate in the\n     agency\xe2\x80\x99s summer intern program. These students are hired for a maximum of 89\n     days and, according to an HR staff member, about 25 percent return the following\n     summer for a second summer internship. In accordance with the Atomic Energy\n     Act of 1954, as amended, summer interns \xe2\x80\x94 as NRC employees \xe2\x80\x94 are required\n     to have either a security clearance prior to employment or to receive a\n     preappointment investigation waiver following an in-house DFS background\n     investigation. As is the case with NRC employees in general, most interns begin\n     their summer employment without a security clearance, but with the\n     preappointment investigation waiver. Following the issuance of this waiver, DFS\n     makes a request to OPM for the appropriate background investigation based on\n     the request of the NRC office to whom the intern will report. Based on a sample\n     of intern personnel security records reviewed by auditors, most offices seek L\n     clearances for these students. According to the current OPM price list, the\n     investigation needed to grant an L clearance costs $135.\n\n\n\n\n                                      17\n\x0c                                                                 Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n                NRC Fails To Benefit From OPM Background Investigations for Summer\n                Interns\n\n                OIG reviewed personnel security records for 179 summer interns who terminated\n                their employment during FY 2003. The review found that most summer interns\n                terminate their employment with NRC either before the OPM background\n                investigation results are returned to NRC or, if such results are returned, before\n                NRC can adjudicate them in order to grant a security clearance. Eleven of 17\n                interns who terminated during FY 2003 never received security clearances. In 4\n                of the 11 cases, NRC received the OPM results after the intern terminated. In\n                another four cases, the OPM investigative report had not been returned at the\n                time of the OIG file review, however, the OPM investigation had not been\n                canceled. In three cases, OPM\xe2\x80\x99s report was returned prior to the intern\xe2\x80\x99s\n                termination, but NRC did not have time to adjudicate the results before the\n                intern\xe2\x80\x99s termination. In the six cases where the interns had security clearances,\n                the FY 2003 employment period was not the intern\xe2\x80\x99s first employment period and,\n                according to DFS staff, the clearances were probably based on investigative\n                results received subsequent to the earlier employment period.\n\n                Based on NRC\xe2\x80\x99s practice of hiring approximately 60 interns each summer, and\n                processing most for an L clearance (which costs $135), it appears that the\n                agency spends approximately $8,100 on background investigations for summer\n                interns each summer. Based on the sample of records OIG reviewed in which\n                about 65 percent of the interns did not receive a clearance, it appears that NRC is\n                not benefitting from about $5,265 spent on such investigations each summer.\n\n                NRC Begins Hiring Process Too Late to Grant Clearances\n\n                Most summer interns are unable to receive security clearances because NRC\xe2\x80\x99s\n                schedule for hiring these individuals does not allow enough time for DFS to\n                request and receive the OPM background investigations needed to grant the\n                security clearances. According to an HR staff member, the timeline for the\n                summer intern hiring process is generally as follows:\n\n                During mid-November, HR requests that office directors determine by December\n                30 how many summer interns they will need and in what disciplines for the\n                following summer. Based on the response from the office directors, in mid-\n                January HR circulates resumes of applicants with the requisite backgrounds to\n                the offices, which then select students they would like to hire from this pool. In\n                February, HR mails employment offers and security packages to the prospective\n                interns. According to the HR staff member responsible for the summer intern\n                program, students are given 10 days to contact NRC with a response to the job\n                offer, but no deadline has been given for return of the completed security\n\n\n\n        9\n         These 17 records were part of a random selection of 66 NRC employees who terminated employment\nduring FY 03.\n\n                                                     18\n\x0c                                            Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\npackage needed to process the student for a clearance. The staff member said\nthat the students who accept the employment offer typically return the completed\nsecurity package to HR during April. HR then forwards the security forms to DFS\nto begin the security clearance process.\n\nAccording to a DFS staff member, DFS staff make a concerted effort to quickly\nprocess the prospective interns for preappointment investigation waivers and to\nsubmit their paperwork to OPM for background investigations. However, OPM is\ngenerally taking 6 to 9 months to respond to L-clearance background\ninvestigation requests. Thus, these requests would need to be made several\nmonths earlier in a given year in order to obtain a response from OPM that could\nbe adjudicated for a security clearance in a timely manner. This DFS staff\nmember was aware that OPM\xe2\x80\x99s response time does not allow for results to be\nadjudicated and clearances granted, but said that DFS\xe2\x80\x99 practice is not to cancel\nthe investigation requests because the results can be used to grant clearances to\ninterns who return the following summer. As a point of comparison, the U.S.\nDepartment of State summer internship program also requires security\nclearances for participants, but requires that the students submit their security\nforms by January so that clearances can be issued by May or June of that year.\n\nSUMMARY\n\nBy starting the summer intern hiring process earlier during the fiscal year, NRC\ncan benefit from the dollars it spends on pursuing security clearances for these\nemployees and can greatly reduce the number of occasions where OPM\nbackground investigations need to be canceled because an intern terminated\nhis/her employment prior to the completion of the investigations.\n\nRECOMMENDATIONS\n\nOIG recommends that the Executive Director for Operations:\n\n11.    Begin the hiring process for summer interns 1 month earlier each year and\n       impose a deadline on students to return the completed security package\n       so that security clearances are more likely to be granted prior to or during\n       a summer intern\xe2\x80\x99s employment period.\n\n12.    In accordance with OPM policy, inform OPM when an intern terminates\n       employment prior to completion of the OPM background investigation.\n\n\n\n\n                                19\n\x0c                                                       Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\nIV. CONSOLIDATED LIST OF RECOMMENDATIONS\n\n    OIG recommends that the Executive Director for Operations:\n\n    1.     Submit clearance reinvestigation requests to OPM in time to allow NRC to\n           evaluate results in the year the reevaluation is due in accordance with MD 12.3.\n\n    2.     By the end of FY 2004, submit requests for OPM reinvestigations for employees\n           with clearances not based on current standards.\n\n    3.     Establish performance measures assessing the timeliness of NRC\xe2\x80\x99s\n           reinvestigation program.\n\n    4.     Eliminate the yes/no boxes from the DFS portion of the separation-clearance\n           form, and require signature for steps completed in this part of the process.\n\n    5.     Fully implement existing agency policy concerning termination of consultants.\n\n    6.     Fully implement existing agency policy concerning termination of regional\n           employees.\n\n    7.     Issue agency guidance specifically concerning return of consultant and regional\n           employee badges to DFS.\n\n    8.     Issue specific data entry guidance to DFS staff responsible for entering data into\n           IPSS.\n\n    9.     Formalize the ongoing IPSS data cleanup effort by documenting this effort. This\n           documentation should include a discussion of resources assigned to the effort\n           and a timeline for completion.\n\n    10.    Establish and implement a procedure to validate data accuracy at least annually.\n\n    11.    Begin the hiring process for summer interns 1 month earlier each year and\n           impose a deadline on students to return the completed security package so that\n           security clearances are more likely to be granted prior to or during a summer\n           intern\xe2\x80\x99s employment period.\n\n    12.    In accordance with OPM policy, inform OPM when an intern terminates\n           employment prior to completion of the OPM background investigation.\n\n\n\n\n                                            20\n\x0c                                                 Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\nV. AGENCY COMMENTS\n\n        On March 9, 2004, the Executive Director for Operations provided comments\n        concerning the draft audit report. We modified the report as we determined\n        appropriate in response to these comments. Appendix B contains both NRC\xe2\x80\x99s\n        comments and our specific response to each.\n\n\n\n\n                                      21\n\x0c                             Review of NRC\xe2\x80\x99s Personnel Security Program\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n                 22\n\x0c                                                     Review of NRC\xe2\x80\x99s Personnel Security Program\n\n                                                                                    Appendix A\nSCOPE AND METHODOLOGY\n\n        This audit reviewed U.S. Nuclear Regulatory Commission (NRC) personnel\n        security program policies and practices pertaining to employees to determine\n        whether (1) NRC is in compliance with external and internal personnel security\n        requirements and (2) NRC\xe2\x80\x99s personnel security program is efficiently managed.\n        The audit focused specifically on NRC employees working in NRC headquarters\n        and regional office facilities.\n\n        The Office of the Inspector General (OIG) audit team reviewed relevant criteria\n        such as The Atomic Energy Act of 1954; Title 10, Part 10, of the Code of Federal\n        Regulations, \xe2\x80\x9cCriteria and procedures for determining eligibility for access to\n        restricted data or national security information or an employment clearance\xe2\x80\x9d;\n        Executive Order 12968, \xe2\x80\x9cAccess to Classified Information\xe2\x80\x9d; Management Directive\n        and Handbook (MD) 10.6, \xe2\x80\x9cUse of Consultants and Experts\xe2\x80\x9d; MD 10.8,\n        \xe2\x80\x9cClearances before Separation or Reassignment\xe2\x80\x9d; MD 12.3, \xe2\x80\x9cNRC Personnel\n        Security Program\xe2\x80\x9d; and other agency and Federal documents.\n\n        Auditors interviewed staff in the Division of Facilities and Security, the Office of\n        Human Resources, and the Office of the Chief Financial Officer (OCFO) to better\n        understand the processes related to security clearance processing and an\n        attorney in the Office of the General Counsel to better understand the agency\xe2\x80\x99s\n        requirements for denying final pay. Auditors interviewed an Office of Personnel\n        Management security appraisal officer to determine NRC\xe2\x80\x99s compliance with\n        external requirements and staff at the Department of Energy, the Department of\n        Homeland Security, and the National Aeronautics and Space Administration to\n        learn about personnel security policies and practices at those agencies. In\n        addition, auditors reviewed personnel security case files and payroll files to\n        quantify the frequency that employees complete the security portion of the\n        separation clearance process. Auditors compared information in the personnel\n        security program\xe2\x80\x99s paper files to the corresponding information in the automated\n        files in order to assess the reliability of NRC\xe2\x80\x99s personnel security data and other\n        issues. Auditors also followed the guidance of an OCFO statistician to analyze\n        the outcomes of these file reviews.\n\n        This work was conducted from January 2003 through December 2003, in\n        accordance with generally accepted Government auditing standards and included\n        a review of management controls related to audit objectives. The work was\n        conducted by Vicki Foster, Senior Management Analyst; Judy Gordon, Senior\n        Management Analyst; Beth Serepca, Team Leader; and Rebecca Underhill,\n        Management Analyst.\n\n\n\n\n                                         23\n\x0c                                   Review of NRC\xe2\x80\x99s Personnel Security Program\n\n                                                                  Appendix B\nAGENCY COMMENTS AND OIG RESPONSE\n\n\n\n\n                          24\n\x0c                                                           Review of NRC\xe2\x80\x99s Personnel Security Program\n\n                                                                                          Appendix B\nOIG RESPONSE\n\n Below are the agency\xe2\x80\x99s comments to the draft audit report and OIG\xe2\x80\x99s response to each\ncomment. NRC\xe2\x80\x99s comments appear in bold italics.\n\n 1. Page 1, Background 2nd paragraph - The 3rd sentence is only true for NRC employees,\nnot for all Federal employees.\n\n This sentence (which appears on page 1, paragraph 2, of this final report) is accurate as written\nper U.S. Office of Personnel Management Federal Investigations Notice, Letter 97-02, therefore,\nwe made no modification to the wording.\n\n 2. Page 9, paragraph at top of page - We disagree with OIG\xe2\x80\x99s characterization that NRC\nreinvestigations were not timely. NRC is required to initiate re-investigations in the year\nthe re-investigations are required, but is not required to submit them to OPM in the same\nyear.\n\n We modified the draft report wording (which appears on page 6, paragraph 3, of this final\nreport) to clarify that NRC submitted requests for the 125 employees too late for NRC to meet its\nown reinvestigation timeliness requirements, which hold the agency to a higher standard than\nOPM\xe2\x80\x99s requirements.\n\n 3. Page 9 - The last sentence on the page is not accurate. NRC\xe2\x80\x99s investigative standards\nare appropriate and consistent with Federal guidelines.\n\n The statement (which appears at the end of the first paragraph on page 7 of this final report) is\naccurate as written because the 426 employees have L clearances based on a type of\ninvestigation which, since 1997, has not been used to reinvestigate individuals with this type of\nclearance. While agencies are being given time to come into compliance with the current\nstandards, the fact remains that these 426 clearances are not based on the current standards.\nTherefore, the wording remains unchanged.\n\n 4. Page 12, Recommendation 1 - There is no NRC or Federal requirement that\ninvestigative results be returned and evaluated within the 5- or 10-year re-investigation\nperiod. OPM will not guarantee a time frame for completion of the investigations. This\nrecommendation should be deleted.\n\n We modified the wording of this recommendation (now on page 9) to clarify OIG\xe2\x80\x99s intent that\nNRC follow MD 12.3 reinvestigation requirements to reevaluate employees with Q clearances\nand LH designations at least every 5 years and employees with L clearances at least every 10\nyears.\n\n 5. Page 12, Recommendation 2 - NRC investigations are in compliance with Federal\nguidelines as acknowledged on the bottom of page 11 of the draft report, \xe2\x80\x9cOPM officials\nsaid that NRC\xe2\x80\x99s interpretation of federal requirements is acceptable.\xe2\x80\x9d\n\n\n\n\n                                                25\n\x0c                                                        Review of NRC\xe2\x80\x99s Personnel Security Program\n\n Although OPM officials said NRC\xe2\x80\x99s interpretation is acceptable, OIG intends that NRC complete\nthe ongoing DFS effort to bring these individuals into compliance with the current standards.\nDFS has recognized this issue and has already been engaged in such an effort on an ad hoc\nbasis as noted on page 7 of this report. Recommendation 2 (page 9) remains unchanged.\n\n\n\n\n                                             26\n\x0c'